WO2015072689A1 - Anti-debugging method - Google Patents

Publication number
WO2015072689A1
Authority
WO
WIPO (PCT)
Prior art keywords
state
child
parent
debugging
monitoring
Prior art date
Application number
PCT/KR2014/010446
Other languages
English (en)
French (fr)
Korean (ko)
Inventor
남재민
박정근
홍준호
오준석
김정수
Original Assignee
(주)잉카엔트웍스
Priority date
Filing date
Publication date
Application filed by (주)잉카엔트웍스
Priority to US15/036,535 (US20160300044A1)
Priority to CN201480065611.2A (CN105793860A)
Priority to JP2016530187A (JP2016538641A)
Publication of WO2015072689A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/12 Protecting executable software
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/12 Protecting executable software
    • G06F21/14 Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/362 Software debugging
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/362 Software debugging
    • G06F11/366 Software debugging using diagnostics
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/106 Enforcing content protection by specific content processing
    • G06F21/1064 Restricting content processing at operating system level
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/12 Protecting executable software
    • G06F21/121 Restricting unauthorised execution of programs
    • G06F21/125 Restricting unauthorised execution of programs by manipulating the program code, e.g. source code, compiled code, interpreted code, machine code
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/16 Program or content traceability, e.g. by watermarking
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering

Definitions

  • The main object of this embodiment is to provide an anti-debugging method.
  • The static analysis method does not execute the program file but analyzes the file itself.
  • Binary program files are analyzed using a disassembly tool or a decompile tool. These tools translate binary program files into assembly or a high-level language and present the result, which is then analyzed to understand the logic of the program.
  • The dynamic analysis method executes a program and analyzes it by looking at the program's running code, memory state, and register state in a debugging tool.
  • The analysis method using a debugger makes it easy to understand the logic of the program, because it follows the flow of the running code and can determine which code is actually executed and which is not. Values in memory or registers can also be modified during analysis.
  • Analysis by debugging is widely used because its scope is wider than that of the static analysis method; for example, data can be changed in real time during the logical flow or execution of a program.
  • Anti-debugging is a technique that prevents a program from being analyzed by blocking debugging. When debugging is detected, various methods can be used to interrupt the analysis, such as terminating the debugger program or generating an error.
  • Conventional anti-debugging technology mainly checks whether a debugging program is running and, if so, does not execute the program that would be debugged. However, this method has difficulty coping with unexpected situations such as the appearance of a new debugging program.
  • Anti-debugging technology is also limited to a specific operating system or processor. For example, on the Windows operating system, whether a program is being debugged is determined using IsDebuggerPresent(), CheckRemoteDebuggerPresent(), and the NtGlobalFlag value provided by Windows. However, Linux, Unix, OS X, etc. do not provide the same or similar APIs, so this method cannot be used there.
  • The main purpose of this embodiment is to provide an anti-debugging method that works by monitoring the state of a process.
  • A method for performing anti-debugging by an anti-debugging device, comprising: generating a child process; a parent process monitoring process of monitoring a state of a parent process in the child process; and a child process monitoring process of monitoring a state of the child process in the parent process.
  • An anti-debugging device comprising: a child process generator included in a parent process and generating a child process; a parent process monitoring unit included in the child process and monitoring a state of the parent process; and a child process monitoring unit included in the parent process and monitoring the state of the child process.
  • The parent process monitors the state of the child process in real time, and the child process monitors the state of the parent process in real time.
  • When a parent or child process enters the debugging state (that is, tracked or stopped), the parent process and the child process are immediately killed, preventing further execution of the program in the debugging state.
  • The program can also be protected from attack by memory cheat programs, which are frequently used to hack games and the like. A memory cheat program operates by first switching the state of the target program to the tracked (Traced or Stopped) state. According to an embodiment of the present invention, the process state is checked, and if the process is found to be in the tracked state, the process is killed, which protects against attacks by memory cheat programs.
  • FIG. 1 is a block diagram of a computer for providing anti-debugging.
  • FIG. 2 is an exemplary diagram of a configuration of a process control block.
  • FIG. 3 is an exemplary diagram of a state transition process of a process.
  • FIG. 4A is a flowchart of a process of monitoring a child process by a parent process according to the present embodiment.
  • FIG. 4B is a flowchart of a process in which a child process monitors a parent process according to the present embodiment.
  • FIG. 5 is an exemplary diagram of a state where a parent process and a child process monitor each other according to the present embodiment.
  • FIG. 6 is a block diagram of an anti-debugging device according to the present embodiment.
  • FIG. 1 is a block diagram of a computer providing anti-debugging.
  • FIG. 1 is an example of a computer that provides anti-debugging, in which a parent process and a child process mutually monitor each other's process state to determine whether either is being debugged.
  • When the program stored in the auxiliary memory device 130 is executed, the program is loaded into the main memory 120 and processed by the central processing unit 110, and the result is displayed on the display 140.
  • When the program runs, it creates a child process identical to itself (Fork) and becomes the parent process of the child process.
  • The parent process and the child process monitor each other's process status to prevent program analysis by debugging.
  • FIG. 2 is an exemplary diagram of a configuration of a process control block.
  • The process control block 200 may include information such as a process state 210, a process identifier 220, a program counter 230, a register 240, memory management information 250, and file information 260.
  • The process state 210 stores information indicating the state of a process, such as created, ready, running, waiting, terminated, or traced.
  • The process identifier 220 is identifier information for identifying a running process in the system.
  • The program counter 230 is the address of the instruction to be executed next by the process.
  • The register 240 stores the register values of the CPU, the memory management information 250 stores information about the address space of the process, and the file information 260 keeps information about the I/O devices and files that the process has opened for input and output.
  • FIG. 3 is an exemplary diagram of a state transition process of a process.
  • FIG. 3 is an exemplary diagram illustrating how a process is generated and how the process state information included in the process control block of FIG. 2 transitions.
  • A program stored in the auxiliary memory device 130 is executed and loaded into the main memory 120, generating a process that undergoes initialization.
  • The process status value in the process control block is set to Create (New or Create) 310.
  • The process is created but is not yet executable by the operating system.
  • In order for the created process to be executed, it must wait in a queue in the kernel of the operating system, prepared to run once it receives the CPU (320).
  • In this state, the process status value is Ready 320.
  • the process status value becomes Running 330.
  • an I/O request is sent to the system and the process is waiting (340).
  • the process becomes ready state 320 to be executed again, and when it is its turn, the CPU is allocated and the state of the process becomes a running state 330.
  • When the process completes its work, it returns to the system all resources it has occupied and terminates. The state at the time the process returns its resources to the system for termination is Terminated 350.
  • If a debugger is attached to the process in any state before it terminates, the process's state transitions to the tracked or stopped state. The program can also be run under the debugger, in which case the generated process is likewise tracked.
  • The technical idea of the present invention is to observe these state transitions of a process to determine whether it is in the debugging state and, when it is, to stop the execution of the process so that the program cannot be analyzed through debugging. This is described in detail with reference to FIGS. 4A and 4B.
  • FIG. 4A is a flowchart of a process of monitoring a child process by a parent process according to the present embodiment.
  • The program is executed and loaded into the main memory 120 to generate a process (S410). The generated process creates a child process that shares the program code but has a separate address space (S420). The process that created the child process is called the parent process.
  • The parent process continuously checks whether the process state of the child process is the tracked (Traced or Stopped) state (S430). The parent's monitoring of the child process continues for as long as the program has not terminated (S440).
  • Debuggers such as the GNU Debugger (GDB) can debug programs by running them under the debugger or by attaching to processes that are already running.
  • A memory cheat program also changes the state of the process to the tracked state and then changes the memory value at the desired location.
  • If the state of the child process changes to a tracked state, it can be determined that the child process is being analyzed by a dynamic analysis tool such as a debugger or a memory cheat program.
  • The reason the tracked state of a process can be treated as the debugging state is that when a debugger is used to debug the process, the process state changes to the tracked state.
  • The tracked state is the process's Stopped state, which appears when a debugger such as GDB is attached to the process or when break points are set and used for debugging in the debugger. Therefore, the traced state can be determined to be the debugging state.
  • Analysis of the program can be prevented by stopping the process as soon as it is known that the process is in a tracked state.
  • The parent process also monitors whether the child process has terminated and, if so, terminates itself.
  • FIG. 4B is a flowchart of a process in which a child process monitors a parent process according to the present embodiment.
  • After the child process is generated by the parent process (S450), the child process continuously checks whether the state of the parent process is tracked (S460). If the state of the parent process has changed to a tracked state, it can be determined that the parent process is being analyzed by a dynamic analysis tool such as a debugger or a memory cheat program. The child's monitoring of the parent process continues for as long as the program has not terminated (S470). If it is determined that the program is being analyzed, the parent process and the child process may be terminated in the same manner as in FIG. 4A to prevent the program from being analyzed. The child process also monitors whether the parent process has terminated and, if so, terminates itself.
  • If the monitoring of both the parent process and the child process were done only by the parent process, state monitoring would not work, because the process is stopped when the parent process itself changes to the tracked state. State monitoring consisting of only a parent process cannot monitor its own tracked state, so a parent process and a child process are created and monitor each other.
  • the other process can detect this and stop the process.
  • FIG. 5 is an exemplary diagram of a state where a parent process and a child process monitor each other according to the present embodiment.
  • FIG. 5 shows an example in which a program is executed to create a parent process 510 (Create), the parent process 510 creates a child process 520 (Fork), the parent process 510 monitors the process state of the child process 520, and the child process 520 monitors the state of the parent process.
  • The parent process 510 and the child process 520 running in the main memory 120 are always paired to monitor each other. If one of the processes is terminated or changes to the tracked state, the other process either terminates as well, or terminates that process and then terminates itself, to prevent the program from being analyzed.
  • FIG. 6 is a block diagram of an anti-debugging device according to the present embodiment.
  • The anti-debugging device 600 includes a parent process 610 and a child process 620.
  • The parent process 610 includes a child process generation unit 612 for generating a child process 620, a child process monitoring unit 614 for monitoring a process state of the generated child process 620, and a process control block 200 for storing information for managing the parent process, including parent process state information.
  • The child process monitor 614 may be created as a separate thread for monitoring the child process 620.
  • The child process monitoring unit 614 continuously checks whether the process state information of the process control block 200 in the child process 620 is tracked. If the state information of the process indicates the tracked state, it is determined that the program is being analyzed by a debugger or a memory cheat program, and the parent process 610 and the child process 620 are terminated. If no child process 620 exists, the parent process 610 terminates. A separate thread can also be created in the child process to monitor the parent process.
  • The child process 620 includes a parent process monitor 622 for monitoring a process state of the parent process 610 and a process control block 200 for storing information for managing the process, including child process state information.
  • The parent process monitor 622 of the child process 620 continuously checks whether the process state of the process control block 200 of the parent process 610 is tracked.
  • The parent process monitor 622 may operate as a separate thread in the child process 620. If the state information of the process indicates the tracked state, it is determined that the program is being analyzed by a debugger or a memory cheat program, and the parent process 610 and the child process 620 are terminated. In addition, if the parent process 610 does not exist, the child process 620 terminates.
  • The anti-debugging device 600 may be a user terminal such as a personal computer (PC), a notebook computer, a tablet, a personal digital assistant (PDA), a game console, a portable multimedia player (PMP), a PlayStation Portable (PSP), a wireless communication terminal, a smart phone, a TV, a media player, or the like.
  • The anti-debugging device 600 according to the embodiment of the present invention may be a server terminal such as an application server or a service server.
  • The anti-debugging device 600 may be any of a variety of devices including (i) a communication device such as a communication modem for communicating with various devices or with wired and wireless communication networks, (ii) a memory for storing data for executing a program, and (iii) a microprocessor for executing and operating programs.
  • The memory may be a computer-readable recording/storage medium such as random access memory (RAM), read only memory (ROM), flash memory, an optical disk, a magnetic disk, a solid state disk (SSD), or the like.
  • The microprocessor may be programmed to selectively perform one or more of the operations and functions described in the specification.
  • The microprocessor may be implemented, in whole or in part, as hardware such as an Application Specific Integrated Circuit (ASIC).
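The mutual state check described for FIGS. 4A and 4B, as an added example that is not code from the patent or its applicant: a Linux-only sketch in which each side polls the other's state letter. Reading `/proc/<pid>/stat`, the 100 ms poll interval and every function name are assumptions of this example.

```c
/* Added example (not from the patent): Linux-only sketch of the mutual
 * parent/child state check. Reading /proc/<pid>/stat and every name below
 * are assumptions of this example. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>

enum peer_state { PEER_OK, PEER_TRACED, PEER_GONE };

/* Constructed sample of a stat line for a process held in a ptrace stop. */
static const char SAMPLE_TRACED[] = "4242 (game client) t 4100 4242 4242 0";

/* Classify one /proc/<pid>/stat line, "pid (comm) STATE ...". comm may
 * contain spaces and ')', so the state letter is taken after the LAST ')'. */
enum peer_state classify_stat_line(const char *line)
{
    const char *p = line ? strrchr(line, ')') : NULL;
    if (!p || p[1] != ' ' || p[2] == '\0')
        return PEER_GONE;          /* unparsable: fail closed */
    switch (p[2]) {
    case 't':                      /* tracing stop (debugger attached) */
    case 'T':                      /* stopped by SIGSTOP/SIGTSTP */
        return PEER_TRACED;
    case 'Z':                      /* zombie: peer has exited */
    case 'X':                      /* dead */
        return PEER_GONE;
    default:
        return PEER_OK;
    }
}

/* Read the peer's current state; a missing /proc entry means it is gone. */
enum peer_state peer_state_of(pid_t pid)
{
    char path[64], line[512];
    snprintf(path, sizeof path, "/proc/%ld/stat", (long)pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return PEER_GONE;
    char *got = fgets(line, sizeof line, f);
    fclose(f);
    return got ? classify_stat_line(line) : PEER_GONE;
}

/* Poll the peer (S430 / S460) until it is traced, gone, or polls run out. */
enum peer_state watch_peer(pid_t peer, int polls)
{
    const struct timespec gap = { 0, 100 * 1000 * 1000 };   /* 100 ms */
    for (int i = 0; i < polls; i++) {
        enum peer_state s = peer_state_of(peer);
        if (s != PEER_OK)
            return s;
        nanosleep(&gap, NULL);
    }
    return PEER_OK;
}

int main(void)
{
    printf("sample line -> %d (1 = traced)\n", classify_stat_line(SAMPLE_TRACED));
    pid_t parent = getpid();
    pid_t child = fork();                       /* S420 */
    if (child < 0)
        return 1;
    if (child == 0) {                           /* child watches parent */
        if (watch_peer(parent, 30) == PEER_TRACED)
            kill(parent, SIGKILL);
        _exit(0);                               /* demo ends after 30 polls */
    }
    enum peer_state s = watch_peer(child, 30);  /* parent watches child */
    if (s == PEER_TRACED)
        kill(child, SIGKILL);
    printf("parent stops: child state %d\n", (int)s);
    return 0;
}
```

Because a job-control stop (Ctrl-Z) also reports `T`, this check ends the program on a benign suspend as well; on Linux the `TracerPid` field of `/proc/<pid>/status` identifies an attached tracer specifically.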

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)
  • Quality & Reliability (AREA)
  • Debugging And Monitoring (AREA)
PCT/KR2014/010446 2013-11-14 2014-11-03 Anti-debugging method WO2015072689A1 (ko)

Priority Applications (3)

Application Number Priority Date Filing Date Title
US15/036,535 US20160300044A1 (en) 2013-11-14 2014-11-03 Anti-debugging method
CN201480065611.2A CN105793860A (zh) 2013-11-14 2014-11-03 Anti-debugging method
JP2016530187A JP2016538641A (ja) 2013-11-14 2014-11-03 Anti-debugging method

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2013-0138644 2013-11-14
KR1020130138644A KR101519845B1 (ko) 2013-11-14 2013-11-14 Anti-debugging method

Publications (1)

Publication Number Publication Date
WO2015072689A1 (ko) 2015-05-21

Family

ID=53057586

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2014/010446 WO2015072689A1 (ko) 2013-11-14 2014-11-03 Anti-debugging method

Country Status (5)

Country Link
US (1) US20160300044A1 (zh)
JP (1) JP2016538641A (zh)
KR (1) KR101519845B1 (zh)
CN (1) CN105793860A (zh)
WO (1) WO2015072689A1 (zh)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106021106A (zh) * 2016-05-19 2016-10-12 北京金山安全软件有限公司 Process control method and user terminal
CN106055935A (zh) * 2016-05-19 2016-10-26 北京金山安全软件有限公司 Process control method, apparatus and electronic device
CN106055397A (zh) * 2016-05-30 2016-10-26 新浪网技术(中国)有限公司 Lock control method and apparatus
EP3239841A1 (en) * 2016-04-28 2017-11-01 Beijing Xiaomi Mobile Software Co., Ltd. Method and device for managing application program
US11409635B2 (en) 2019-08-23 2022-08-09 Raytheon Company Hacker-resistant anti-debug system

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
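KR101583545B1 (ko) * 2015-07-22 2016-01-08 주식회사 엔에스에이치씨 Security providing method for improving the security of a mobile terminal application using mutual debugging monitoring
CN108021791B (zh) * 2016-10-31 2021-08-10 腾讯科技(深圳)有限公司 Data protection method and apparatus
CN106778104B (zh) * 2017-01-20 2019-10-25 武汉斗鱼网络科技有限公司 Anti-debugging method and system for an application
CN106845170B (zh) * 2017-01-20 2019-11-15 武汉斗鱼网络科技有限公司 Anti-debugging method and system
CN107122656B (zh) * 2017-04-26 2020-03-06 北京梆梆安全科技有限公司 Method and apparatus for preventing external debugging through self-debugging
CN107239698A (zh) * 2017-05-27 2017-10-10 北京洋浦伟业科技发展有限公司 Anti-debugging method and apparatus based on a signal handling mechanism
CN108256318A (zh) * 2018-01-15 2018-07-06 郑州云海信息技术有限公司 Method, apparatus and terminal for secure process execution
CN108388778B (zh) * 2018-03-21 2021-03-30 北京理工大学 Multi-feature fusion app anti-debugging method for the Android platform
WO2019231000A1 (ko) * 2018-05-29 2019-12-05 라인플러스 주식회사 Method and system for blocking Java debuggers for program protection
WO2019235664A1 (ko) * 2018-06-08 2019-12-12 라인플러스 주식회사 Method and system for blocking debuggers for program protection
CN109408158B (zh) * 2018-11-06 2022-11-18 恒生电子股份有限公司 Method and apparatus for making a child process exit with its parent process, storage medium and electronic device
CN111639312B (zh) * 2020-06-02 2023-04-14 腾讯科技(成都)有限公司 Anti-debugging method and apparatus, storage medium and electronic apparatus
CN112948241B (zh) * 2021-02-09 2024-02-06 北京奇艺世纪科技有限公司 Anti-debugging method and apparatus for an application, electronic device and storage medium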

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
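JPH086813A (ja) * 1994-06-23 1996-01-12 Hitachi Ltd Trace control system
JP3049010B2 (ja) * 1998-06-23 2000-06-05 日本電気ソフトウェア株式会社 Apparatus and method for pseudo-continuation of a parent-child relationship
KR20030058144A (ko) * 2001-12-29 2003-07-07 엘지엔시스(주) Process fault monitoring method and recovery method for an information and communication system
KR101057432B1 (ko) * 2010-02-23 2011-08-22 주식회사 이세정보 System, method, program and recording medium for detecting and blocking harmful programs in real time through process behavior analysis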

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
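JPS60175959A (ja) * 1984-02-21 1985-09-10 Matsushita Electric Ind Co Ltd Water-tube boiler
JP2006176352A (ja) * 2004-12-21 2006-07-06 Maruhachi Glass Ten:Kk Color correction method, light-transmitting member and structure using the method, and method for manufacturing the light-transmitting member and structure
JP4048382B1 (ja) * 2006-09-01 2008-02-20 富士ゼロックス株式会社 Information processing system and program
CN100543683C (zh) * 2006-12-26 2009-09-23 华为技术有限公司 Method and system for monitoring processes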
EP2397964A4 (en) * 2009-02-16 2014-08-13 Panasonic Corp DEVICE FOR IDENTIFYING ILLEGAL MODULES, INFORMATION PROCESSING DEVICE, METHOD FOR IDENTIFYING ILLEGAL MODULES, IDENTIFICATION PROGRAM FOR ILLEGAL MODULES, INTEGRATED CIRCUIT, ILLEGAL MODULES DEACTIVATION SYSTEM, AND ILLEGAL MODULES DEACTIVATION DEVICE
EP2979211B1 (en) * 2013-03-27 2020-09-09 Irdeto B.V. Protecting software application

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
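JPH086813A (ja) * 1994-06-23 1996-01-12 Hitachi Ltd Trace control system
JP3049010B2 (ja) * 1998-06-23 2000-06-05 日本電気ソフトウェア株式会社 Apparatus and method for pseudo-continuation of a parent-child relationship
KR20030058144A (ko) * 2001-12-29 2003-07-07 엘지엔시스(주) Process fault monitoring method and recovery method for an information and communication system
KR101057432B1 (ko) * 2010-02-23 2011-08-22 주식회사 이세정보 System, method, program and recording medium for detecting and blocking harmful programs in real time through process behavior analysis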

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3239841A1 (en) * 2016-04-28 2017-11-01 Beijing Xiaomi Mobile Software Co., Ltd. Method and device for managing application program
US10114735B2 (en) 2016-04-28 2018-10-30 Beijing Xiaomi Mobile Software Co., Ltd. Method, device and medium for managing application program
CN106021106A (zh) * 2016-05-19 2016-10-12 北京金山安全软件有限公司 Process control method and user terminal
CN106055935A (zh) * 2016-05-19 2016-10-26 北京金山安全软件有限公司 Process control method, apparatus and electronic device
CN106055397A (zh) * 2016-05-30 2016-10-26 新浪网技术(中国)有限公司 Lock control method and apparatus
CN106055397B (zh) * 2016-05-30 2019-09-27 新浪网技术(中国)有限公司 Lock control method and apparatus
US11409635B2 (en) 2019-08-23 2022-08-09 Raytheon Company Hacker-resistant anti-debug system

Also Published As

Publication number Publication date
KR101519845B1 (ko) 2015-05-13
JP2016538641A (ja) 2016-12-08
US20160300044A1 (en) 2016-10-13
CN105793860A (zh) 2016-07-20

Similar Documents

Publication Publication Date Title
WO2015072689A1 (ko) Anti-debugging method
US9507939B1 (en) Systems and methods for batch processing of samples using a bare-metal computer security appliance
US9619346B2 (en) Virtual machine introspection facilities
Williams et al. Device Driver Safety Through a Reference Validation Mechanism.
US9965313B2 (en) Systems and methods for auditing a virtual machine
US10984096B2 (en) Systems, methods, and apparatus for detecting control flow attacks
US10127137B2 (en) Methods and systems for increased debugging transparency
Prakash et al. Enforcing system-wide control flow integrity for exploit detection and diagnosis
WO2013134206A1 (en) Automatically bridging the semantic gap in machine introspection
US8875114B2 (en) Employing identifiers provided by an operating system of a processing environment to optimize the processing environment
US11797398B2 (en) Systems and methods for checking safety properties
CN106909835B (zh) Method for implementing kernel integrity measurement based on a CPU space-time isolation mechanism
US10129275B2 (en) Information processing system and information processing method
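CN105095763B (zh) Vulnerability defense method and apparatus, and electronic device
JP2015018552A (ja) Security protection method and processor
CN112231198B (zh) Malicious process debugging method, apparatus, electronic device and medium
WO2023027228A1 (ko) Method and apparatus for detecting malicious non-executable files by changing the execution flow of an application
CN107291617B (zh) Vulnerability analysis method based on implicit taint propagation
KR20110057297A (ko) System and method for dynamic analysis of malicious bots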
Molyakov Token scanning as a new scientific approach in the creation of protected systems: A new generation OS MICROTEK
WO2019235664A1 (ko) Method and system for blocking debuggers for program protection
CN109472133B (zh) 一种沙箱监控方法和装置
WO2019231000A1 (ko) Method and system for blocking Java debuggers for program protection
Liu et al. A Survey of Security Analysis on Industrial Control Devices via Rehosting
WO2010036057A2 (ko) Malicious program detector for diagnosing illegal memory access and control method thereof

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14861626

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2016530187

Country of ref document: JP

Kind code of ref document: A

WWE Wipo information: entry into national phase

Ref document number: 15036535

Country of ref document: US

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14861626

Country of ref document: EP

Kind code of ref document: A1